ARTICLE
2 May 2025

Data Access For AI Systems

WT
Wolf Theiss

Contributor

We have built our reputation on unrivalled local knowledge which is supported by strong international capabilities.

With over 400 lawyers in 13 countries, over 80% of the firm’s work involves cross-border representation of international clients.

We have concentrated our energies on a unique part of the world: the complex, fast-developing markets of the CEE/SEE region. Through our international network of offices, we work closely with our clients to develop innovate solutions that integrate legal, financial, and business know-how.

The use of artificial intelligence (AI) is already bringing about fundamental changes. The backbone for the development of these systems is large amounts of data needed to train AI models...
Austria Technology

Data access rules as the backbone of AI

The use of artificial intelligence (AI) is already bringing about fundamental changes. The backbone for the development of these systems is large amounts of data needed to train AI models and derive "intelligence" from them. However, the full potential of the immense volume of data that is generated on a global scale, often remains unused due to issues involving data rights and data access.

Recent legislative initiatives by the EU seek to remove legal barriers for tapping into the potential of data. With the AI Act, the EU was the first major economy in the world to create a standardised legal framework for the safe and ethically justifiable use and handling of AI. The EU's data strategy also aims to lay the foundations for the use of (machine) data. The Data Governance Act establishes structures that enable the voluntary exchange of data and the Data Act aims to better utilise the economic potential of the growing volume of data and promote a competitive data market.

One of the central provisions of the Data Act is the promotion of data access and the partly mandatory transfer of data from companies to consumers (B2C) and between companies (B2B). Users of networked products ("IoT devices"), businesses and consumers alike, can request the data owner to provide data generated through the use of such devices, including to third-party recipients. This will make it easier for small and medium-sized enterprises (SMEs) to access data that was previously mostly controlled by larger companies as data controllers. Improved data portability will also enable new, data-driven business models to be developed, which in turn will support the development and use of AI systems.

AI models are of great importance for IoT devices, as they can significantly expand their functionalities through data analyses and automation. For example, chatbots often use AI models to make conversations with users more intuitive. In principle, the obligation to provide data in this case also includes data generated by the AI model that would have to be provided to the user or a third party. However, the Data Act restricts disclosure obligations in accordance with the data protection law, intellectual property rights and trade secrets. Defining what and how much of it may be shared, will be one of the challenges at the intersection between AI models, the Data Act and IP rights.

In addition, data owners will now only be allowed to process or use certain product data and associated service data on the basis of a contractual agreement with the user. The de facto data ownership of the data owner that has often been practiced to date will be replaced by data license agreements with users. Other types of data use – including for the training of AI – will be inadmissible. Clauses on data access and data use will be subject to abuse controls under the Data Act.

Companies must therefore adapt their applications and data management systems to the requirements of the Data Act by 12 September 2025. This includes technical adjustments to ensure data access ("access-by-design") and data interoperability, as well as the implementation of transparency obligations. If processing also involves personal data, companies must comply with the requirements of the General Data Protection Regulation (GDPR). Non-compliance may entail fines of up to EUR 20 million or 4 per cent of annual global turnover under the Data Act, similar to the data protection law.

Originally Published 17 July 2024

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More